From e468268335dd797c540dbd278541340d8c01a7d1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 4 May 2007 10:21:39 +0000 Subject: r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make winbindd's kerberized pam_auth use that. Guenther (This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7) --- source3/libads/kerberos.c | 32 +++++++++++++++++++++++++++++--- source3/nsswitch/winbindd_cred_cache.c | 6 ++++-- source3/nsswitch/winbindd_pam.c | 4 ++-- 3 files changed, 35 insertions(+), 7 deletions(-) (limited to 'source3') diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index dc3d11a60c..c721b56385 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -189,7 +189,8 @@ int kerberos_kinit_password_ext(const char *principal, const char *cache_name, BOOL request_pac, BOOL add_netbios_addr, - time_t renewable_time) + time_t renewable_time, + NTSTATUS *ntstatus) { krb5_context ctx = NULL; krb5_error_code code = 0; @@ -267,6 +268,29 @@ int kerberos_kinit_password_ext(const char *principal, *renew_till_time = (time_t) my_creds.times.renew_till; } out: + if (ntstatus) { + + NTSTATUS status; + + /* fast path */ + if (code == 0) { + *ntstatus = NT_STATUS_OK; + goto cleanup; + } + + /* try to get ntstatus code out of krb5_error when we have it + * inside the krb5_get_init_creds_opt - gd */ + + if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) { + *ntstatus = status; + goto cleanup; + } + + /* fall back to self-made-mapping */ + *ntstatus = krb5_to_nt_status(code); + } + + cleanup: krb5_free_cred_contents(ctx, &my_creds); if (me) { krb5_free_principal(ctx, me); @@ -321,7 +345,8 @@ int ads_kinit_password(ADS_STRUCT *ads) } ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset, - &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable); + &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable, + NULL); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", @@ -580,7 +605,8 @@ int kerberos_kinit_password(const char *principal, cache_name, False, False, - 0); + 0, + NULL); } /************************************************************************ diff --git a/source3/nsswitch/winbindd_cred_cache.c b/source3/nsswitch/winbindd_cred_cache.c index 368090c390..2c9572d7f8 100644 --- a/source3/nsswitch/winbindd_cred_cache.c +++ b/source3/nsswitch/winbindd_cred_cache.c @@ -111,7 +111,8 @@ static void krb5_ticket_refresh_handler(struct event_context *event_ctx, entry->ccname, False, /* no PAC required anymore */ True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME); + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL); gain_root_privilege(); if (ret) { @@ -224,7 +225,8 @@ static void krb5_ticket_gain_handler(struct event_context *event_ctx, entry->ccname, False, /* no PAC required anymore */ True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME); + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL); gain_root_privilege(); if (ret) { diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 59bff901ce..97c1ac4b9c 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -564,12 +564,12 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, cc, True, True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME); + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + &result); if (krb5_ret) { DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", principal_s, error_message(krb5_ret), krb5_ret)); - result = krb5_to_nt_status(krb5_ret); goto failed; } -- cgit